Kiva's mission is to connect people through lending for the sake of alleviating poverty.

Kiva is the world's first person-to-person micro-lending website, empowering individuals to lend directly to unique entrepreneurs in the developing world. The people you see on Kiva's site are real individuals in need of funding - not marketing material.

When you browse entrepreneurs' profiles on the site, choose someone to lend to, and then make a loan, you are helping a real person make great strides towards economic independence and improve life for themselves, their family, and their community. Throughout the course of the loan (usually 6-12 months), you can receive email journal updates and track repayments. Then, when you get your loan money back, you can relend to someone else in need.

Here's a snippet from Gunnar's posting which describes his experience with Kiva:

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had an 18-month payback date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full.

If you are interested in helping me -- and thus others -- with contributing to the micro-loan movement, either sign-up to donate directly yourself, or feel free to donate via gift certificate to my pool and we can make an even bigger difference!

If you want to send a Kiva certificate, you can do so through the PayPal-enabled link above and use my email addy as the target recipient: choff [@] packetfilter.com

At my birthday BBQ bash this weekend, in lieu of gifts I've asked for folks to donate to my pool for this year to fund multiple loans.

My family of three young girls and my lovely wife are all very excited about being able to participate in this process both domestically and internationally.

In fact, all three of my kids are invested in giving up material goods and gifts in exchange for donations to Kiva. How cool is that?

Thanks to Gunnar again for the motivation and Thomas Barnett for his inspiring words.

August 27, 2007

Per my offer last week, I received a positive response to my query asking if folks might find useful a set of well-written policy and procedures that were aligned to ISO17799. I said that I would do the sanitizing work and release them if I got a fair response.

My only caveat for those who download and use these is: please don't sell them or otherwise engage in commercial activity based upon this work.

I'm releasing it into the wild because I want to help make people's lives easier and if these P&P's can help make your environment more secure in the long term, great. I don't want anything in return except perhaps that someone else will do something similar.

I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document. To be fair and honest in full disclosure, I did not create the majority of this work; it's based upon prior art from multiple past lives, and most of it isn't mine exclusively.

As a level-set reminder:

The P&P's are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you'd need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

All you need to do is modify the header/footer with your company's logo & information and do a search/replace for [COMPANY] with your own, and you've got a fantastic template to start building from or add onto another framework with.

Please let me know if this is worthwhile and helped you. I could do all sorts of log tracking to see how many times it's downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.

I also have a really good Incident Response Plan that I consolidated from many inputs; that one's been put through at least one incident horizon and I lived to tell about it.

August 22, 2007

I have spent a lot of time, sweat and tears in prior lives chipping away at building a template set of IT/Information Security policies and procedures that were aligned to (and audited against) various regulatory requirements and the 10 Domains/127 Controls of ISO17799.

This consolidated set of P&P's is intact and well written. Actual business people have been able to read, understand and (gasp!) comply with them. I know, "impossible!" you say. Nay, 'tis rational is all...

As part of my effort to give back, I thought that many of you may be at a point where, while you have lots of P&P's specific to your business, not having to reinvent the wheel by drafting this sort of polished package yourself (or paying someone to do it) might be useful.

The P&P's are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you'd need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

Would this be of some use to you? I would need to do some work to take care of some rough spots and sanitize the Word doc, but if there is enough interest I'll do it and post it for whosoever would like it. Just to be clear, the P&P's are already written; I'll just make it SEARCH/REPLACE friendly.

I'm not trying to tease anyone, I just don't want to do the up-front work if nobody is interested.

Let me know in the comments; no need to leave website links (for obvious reasons) just let me know by your comment if this is something you'd like. If I get enough demand, I'll "get her done!"

OK, good enough. Thanks for the comments. I'll post it up in the next few days. Thanks guys.

July 21, 2007

The only thing worse than when people find out you're in the "computer industry" and ask you to diagnose why their USB-powered combo blender/Easy-bake oven keeps giving them the BSOD is when they find out you're in the "computer security" field and ask you to diagnose why their Symantec (nee Norton) Uber Blocking Pop-Up Personal Firewall prevents them from connecting to AOL.

Sometimes, however, I feel compelled to volunteer myself when I know I can quickly help so I can feel good about "giving back" and make the world a more secure place.

Today was such a day.

I took the kids to our local candlestick bowling joint en route to a matinee screening of "Hairspray" the movie (very good, by the way.) As the kids were knocking down frames thanks to the bumpers in the gutters, I went to the ATM for monetary reinforcement in order to buy the requisite pop and pizza.

As I approached the machine, the floor manager -- noticing that I was going to use the ATM -- scurried to plug the machine in so I could use it. Noticing that it was a Tranax unit, and since this particular marque has been in the news lately due to security concerns, I happily queried the manager as to whether or not they had changed the default password on the machine.

I don't really know why I did this. Perhaps because I wanted to settle a bet with myself or just to show off my mad security current event skillz. Honestly, I think I just wanted to see what would happen under controlled circumstances. Nevertheless, I asked and waited patiently for a response as the machine whirred and clicked.

She looked at me, puzzled, and asked what I meant and why, at which point I was going to be content with alerting her to the possibility that someone could easily use the Internet to gain 10 seconds of courage and rip them off by re-programming the ATM to think it was giving out $5 bills instead of $20 bills, having gained access to the admin interface via the default password.

At the exact moment I said this, the machine finished booting as she walked away shrugging her shoulders, wondering no doubt why this tattooed idiot in bowling shoes was trying to "help." As she did this, the screen started blinking, alerting me that the cash magazine was empty and asking if I would like to enter Administrator mode.

I called her back over to the ATM and said "watch," at which point I was queried for the administrative password, which I dutifully keyed in as "######" (not shown so I don't enable those idiots who can't manage to find the real number via Google). The myriad of administrative options was splayed out before us, and we walked through the various scenarios that might play out should we execute them.

Das machine was owned and now she understood.

We agreed that this was a bad thing and that she should unplug the machine until the owner who serviced the unit could be contacted. I suggested that she find a way to make sure that nobody could plug it back in easily and I walked her through changing the password.

I figured I'd done a good deed and proceeded to go out into the parking lot to scour my car for loose change so I could at least buy the kids a soda, since I could no longer get cash and I didn't exactly trust their security enough to use my credit card at this point.

I returned to find the manager giving me back the $23 I paid for bowling in return for the security lesson.

I thanked her for the trade and got the hell out of there before she asked me how to update the anti-virus signatures on the point of sale terminal that took credit card payments...

The moral of the story? Don't be afraid to offer a little security help every once in a while. You never know, it might earn you $23 and some free bowling. Karma. Nice.

Now I'm going to visit the Mobil station down by the highway...they have the same machines. I could always use some free gas ;)